James R. Mirick sets the record straight on things he cares about

How to Protect Your Most Private Files

Let's say that you are using all the right techniques for protecting yourself out on the Internet — as outlined in my previous posts (here, and here), including using an ID / password database like LastPass. But right on your own machine you have sensitive and personal files, perhaps your tax returns, your investment worksheets, private letters, or the details of your opinion of your manager at work. You don’t want these to be broadcast to the world, or to fall into the wrong hands. But if they’re on your own computer they’re safe, right? Wrong, for two reasons:

You might lose your laptop — someone might steal it, or you might accidentally abandon it in an airport, a cab, or a cafe. Your files just became available. This problem is magnified if you keep these files on a USB drive — a pocket or “thumb” drive — which is easier than a pencil to lose. Note that an astounding 12,000 laptops are lost in US airports every week, and 2/3rds of them are never recovered.

Your computer might ingest some virus, worm, or other malware specimen that just might be trained to browse around and transmit anything interesting it finds in your machine to who knows whom.

So, relying on physical custody of the machine, or relying on it being in your bedroom but still connected to the Internet, is not a winning strategy. Before you take to filling out your tax forms in longhand, there is a very good solution: store these files in an encrypted vault on your hard drive, a vault that only you have the key for.

There are products out there that get advertised as “secure” and “encrypted by a secret, proprietary method,” and you should stay away from these as they can be broken into quite literally in minutes. You need to use something that uses the standard encryption approaches that the government uses — AES (the Advanced Encryption Standard), Twofish, or the like. These will protect your vault — if you choose a strong key — literally centuries after you are dead and gone.

The best of these is a package called TrueCrypt, which I use myself. And please note that I receive nothing whatsoever from them for this endorsement; I recommend it because I use it and for no other reason. Plenty of heavy-duty security gurus are TrueCrypt users, so you don’t have to take my word for it. And it comes for Windows, Mac, and Linux systems.

Here’s what you do. Go to the TrueCrypt website, download it, and install it. Then, when you’re ready to create a private vault, decide how many megabytes you want in the vault, and follow their instructions to allocate and create it. Create a strong password — a really random one — perhaps using LastPass to generate it. TrueCrypt will format the vault, and thereafter it will behave just like another disk drive on your machine: you can copy to and from it, edit files in it as if they were not encrypted, and so on. TrueCrypt encrypts and decrypts “on the fly” as you use it, so you are never aware that this is anything but a real disk drive.

And this works on a USB drive, too, and you can even encrypt the entire USB space if you want; it’s that flexible. Each TrueCrypt vault has a password associated with it (they could always be the same, I suppose) and anyone who looks at a vault will see only a mass of gibberish — no file names, no nothing at all. The secret is in the password. Use a package such as PasswordSafe, LastPass, or a website like Steve Gibson’s password generator, to get a nice, long, really high-entropy one that will resist even a focused, brute-force attack.
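To put numbers on "really high-entropy", here is an added example (not from the original post and not part of TrueCrypt or any of the tools named above) that generates a vault password from the operating system's secure random source and estimates how long an exhaustive search would take. The 94-character alphabet, the 128-bit target and the rate of one billion guesses per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed alphabet: the 94 printable ASCII characters (no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 1e9  # illustrative attacker speed, not a measurement


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size=len(ALPHABET)):
    """Shortest length that reaches at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits=128):
    """Draw every character from the OS CSPRNG via the secrets module."""
    n = length_for_bits(target_bits)
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def years_to_search(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Average exhaustive-search time: half the keyspace is tried on average."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    pw = generate_password(128)
    # Constructed comparison: a short weak choice beside the generated one.
    cases = [
        ("8 random lowercase letters", entropy_bits(8, 26)),
        (f"{len(pw)} random printable characters", entropy_bits(len(pw))),
    ]
    for label, bits in cases:
        print(f"{label}: {bits:.1f} bits, ~{years_to_search(bits):.3g} years")
```

The entropy figure only holds for passwords picked at random like this; a phrase a person made up has far less entropy than its length suggests.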

Just as a sidelight, TrueCrypt can be handled in a way that effectively hides even the existence of the vault in such a way as to provide plausible deniability that there is any encrypted data at all. They describe this in their documentation here. Needless to say, dictators and repressive regimes throughout the world are very displeased with TrueCrypt for this reason!

One of the things you have to do when you start to deal with Internet security is to make the assumption that the worst will in fact happen, and take steps for that eventuality. TrueCrypt should be one of these steps.